Public/winfsp
1
0
Fork 0
mirror of https://github.com/winfsp/winfsp.git synced 2026-03-06 23:59:26 -06:00
Code Activity

sys: FspFastIoDeviceControl: check input/output buffer lengths

Browse Source
This commit is contained in:
Bill Zissimopoulos
2026-02-17 17:07:28 +02:00
parent ae40f0edb1
commit 13d306f586
2 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/sys/devctl.c
View File

@@ -72,6 +72,13 @@ BOOLEAN FspFastIoDeviceControl(
if (!Result) if (!Result)
FSP_RETURN(); FSP_RETURN();
if (0 != InputBufferLength &&
FSP_FSCTL_DEFAULT_ALIGN_UP(sizeof(FSP_FSCTL_TRANSACT_RSP)) > InputBufferLength)
FSP_RETURN(IoStatus->Status = STATUS_INVALID_PARAMETER);
if (0 != OutputBufferLength &&
FSP_FSCTL_TRANSACT_BUFFER_SIZEMIN > OutputBufferLength)
FSP_RETURN(IoStatus->Status = STATUS_BUFFER_TOO_SMALL);
PVOID SystemBuffer = 0; PVOID SystemBuffer = 0;
if (0 != InputBufferLength || 0 != OutputBufferLength) if (0 != InputBufferLength || 0 != OutputBufferLength)
{ {

14
tst/winfsp-tests/mount-test.c
View File

@@ -234,6 +234,20 @@ void mount_volume_transact_dotest(PWSTR DeviceName, PWSTR Prefix)
FSP_FSCTL_TRANSACT_REQ *Request = (PVOID)RequestBuf, *NextRequest; FSP_FSCTL_TRANSACT_REQ *Request = (PVOID)RequestBuf, *NextRequest;
FSP_FSCTL_TRANSACT_RSP *Response = (PVOID)ResponseBuf; FSP_FSCTL_TRANSACT_RSP *Response = (PVOID)ResponseBuf;
RequestBufSize = 0;
Result = FspFsctlTransact(VolumeHandle, ResponseBuf, 1, 0, &RequestBufSize, FALSE);
ASSERT(STATUS_INVALID_PARAMETER == Result);
RequestBufSize = 0;
Result = FspFsctlTransact(VolumeHandle, ResponseBuf, 1, 0, &RequestBufSize, TRUE);
ASSERT(STATUS_INVALID_PARAMETER == Result);
RequestBufSize = FSP_FSCTL_TRANSACT_BUFFER_SIZEMIN - 1;
Result = FspFsctlTransact(VolumeHandle, 0, 0, RequestBuf, &RequestBufSize, FALSE);
ASSERT(STATUS_BUFFER_TOO_SMALL == Result);
RequestBufSize = FSP_FSCTL_TRANSACT_BATCH_BUFFER_SIZEMIN - 1;
Result = FspFsctlTransact(VolumeHandle, 0, 0, RequestBuf, &RequestBufSize, TRUE);
ASSERT(STATUS_BUFFER_TOO_SMALL == Result);
ResponseBufSize = 0; ResponseBufSize = 0;
RequestBufSize = sizeof RequestBuf; RequestBufSize = sizeof RequestBuf;
Result = FspFsctlTransact(VolumeHandle, 0, 0, RequestBuf, &RequestBufSize, TRUE); Result = FspFsctlTransact(VolumeHandle, 0, 0, RequestBuf, &RequestBufSize, TRUE);